Bug 1795538 - Excessive permissions for prometheus-operator cluster-role
Summary: Excessive permissions for prometheus-operator cluster-role
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.4.0
Assignee: Sergiusz Urbaniak
QA Contact: Junqi Zhao
Depends On:
Blocks: 1805833 1805834
TreeView+ depends on / blocked
Reported: 2020-01-28 09:20 UTC by Sergio G.
Modified: 2020-05-11 10:56 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1805833 1805834 (view as bug list)
Last Closed: 2020-05-04 11:27:25 UTC
Target Upstream Version:

Attachments (Terms of Use)
prometheus-operator cluster-role file (21.27 KB, text/plain)
2020-02-03 07:00 UTC, Junqi Zhao
no flags Details

System ID Private Priority Status Summary Last Updated
Github coreos prometheus-operator pull 2974 0 None closed jsonnet/prometheus-operator: restrict api extension RBAC rules 2020-07-27 10:04:21 UTC
Github openshift cluster-monitoring-operator pull 637 0 None closed Bug 1795538: Fix excessive permissions for prometheus-operator cluster-role 2020-07-27 10:04:20 UTC
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:27:50 UTC

Description Sergio G. 2020-01-28 09:20:49 UTC
Description of problem:
The cluster-role prometheus-operator assigned to prometheus-operator service account has all (*) privileges over customresourcedefinition resources.

A quick review of the code doesn't justify this excessive permission level, which could be a security issue if the token of the service account is used to manage any of the defined customresourcedefinitions by editing them or deleting them.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Get the token of the service account:
 $ oc describe sa -n openshift-monitoring prometheus-operator 
 $ oc get token -n openshift-monitoring -o yaml <token>
 $ token=$( echo <token> | base64 -d )

2. Delete any CRD, using oauths.config.openshift.io as an example:
 $ oc --token=$token delete crd oauths.config.openshift.io

Actual results:
The OAuth CRD is deleted

Expected results:
The service account shouldn't be able to delete CRDs that aren't under its management.

CRD are objects which require special consideration and the permission over them should be scoped to the required verbs.

Comment 1 Sergio G. 2020-01-28 09:22:46 UTC
This is still the same in OpenShift 4.3, hence setting the release to it: https://github.com/openshift/cluster-monitoring-operator/blob/release-4.3/assets/prometheus-operator/cluster-role.yaml

Comment 12 Junqi Zhao 2020-02-03 07:00:46 UTC
Created attachment 1657289 [details]
prometheus-operator cluster-role file

Comment 33 errata-xmlrpc 2020-05-04 11:27:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.